Cattles' lost backup tapes highlight risk of unencrypted data storage

Information security experts say the loss of customers' personal records by a Yorkshire-based
finance company highlights the dangers of storing data on unencrypted tapes.

The Cattles Group, which specialises in personal loans and debt recovery, admitted losing two
backup tapes containing information about 1.4 million customers. Although the loss took place at
the end of November, the company has only recently written to customers informing them of the
breach. It has also informed the Information Commissioner’s Office and the Financial Services
Authority.

Details of the loss

According to a company statement, the tapes contained the names and addresses of 1.4 million
customers; 600,000 of those records also contained customers’ date of birth and payment history,
data that could be easily exploited by fraudsters for identity theft. The tapes also held data from
Cattles Group’s human resources department about staff working for the Cattles Group since October
2010.

The company said that, although it had no evidence the tapes had fallen into the wrong hands, it
was informing all those affected.

The incident raises the question of why so many companies are still backing up data onto tapes
without encryption, when other potentially more secure methods, such as cloud-based services or remote
backup centers, are available.

According to research by SearchStorage.co.UK published in June 2011, tape
continues to be widely used as a backup medium, and shows no sign of declining. Furthermore,
research by SearchStorage.co.UK found only 22% of companies have deployed data encryption.

This despite several notable data breach or loss events involving tapes or portable media,
perhaps the most notorious being the loss
of CDs by HMRC that contained 25 million child care records in 2007.

Reaction from security professionals

“This incident should serve as a warning to other businesses that are still reliant on tape for
backing up sensitive data,” said Eoin Blacklock, managing director at KeepItSafe, a data backup
service run by j2 Global, which has its European headquarters in Dublin. “Simply put, data
left lying around on tape is an easy target for thieves.”

Security professionals said the case demonstrated a lack of the most basic security measures.
“There isn’t really any excuse not to encrypt backups. Encryption is now standard on most current
versions of backup software, and certainly on all the commonly used applications,” said Neil
O’Connor, managing director of Hampshire-based consultancy Activity Information Management.
“Encryption is certainly something we always recommend from a risk assessment – and even more so if
you are handling lots of personal information.”

O’Connor said organisations often fail to encrypt because of inertia, or because they fail to
perform adequate risk assessments.

Although some organisations might be attracted to backing up information to the cloud, O’Connor
warned this could breach Principle 8 of the Data Protection
Act (DPA), which prevents the transfer of data outside the European Economic Area (EEA) without
proper protection. “If you don’t know where the data is being stored it may be out of the EEA and
subject to local laws that do not adequately support the DPA,” O’Connor said. “You can get
around this by encrypting the data locally before you back it up into the cloud.”

Brian Shorten, head of information risk for the charity Cancer Research UK, said magnetic tape
is likely to remain a popular choice for backups because it is cheap, but recommended using a
backup application that automatically encrypts files. He also advised companies to do regular
checks to make sure they can actually read backup tapes.

“If you encrypt backups before they go off-site, you need to ensure you can read them properly
if you ever need to,” Shorten said. “You need a process for keeping the tapes secure, and for
keeping the encryption keys to read them again, but separate from the tapes. A lot of this really
is common sense.”
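
The practice described above (encrypt before the backup leaves the site, keep the key apart from the media, and confirm the copy can be read back) can be scripted as follows. This is an added example, not code from the article or from any vendor it names; the function names and directory layout are assumptions, and it expects the OpenSSL 1.1.1+ command line and `tar`.

```shell
#!/bin/sh
# Added example: encrypt a backup locally, keep the key away from the media,
# and run a restore check. Function names and paths are illustrative.

# Resolve the directory that holds a file (the directory must exist).
dir_of() { (cd "$(dirname "$1")" && pwd -P); }

# backup_encrypt SRC_DIR OUT_FILE KEY_FILE
# Writes OUT_FILE (ciphertext) and OUT_FILE.sha256 (hash of the plaintext archive).
backup_encrypt() {
    src=$1 out=$2 key=$3
    # Refuse to keep the key in the same place as the media it protects.
    if [ "$(dir_of "$out")" = "$(dir_of "$key")" ]; then
        echo "key must not be stored with the backup media" >&2
        return 2
    fi
    # Create a random key on first use, readable only by its owner.
    [ -s "$key" ] || (umask 077 && openssl rand -hex 32 > "$key") || return 1
    tmp=$(mktemp) || return 1
    tar -cf "$tmp" -C "$src" . &&
        openssl dgst -sha256 -r < "$tmp" | cut -d' ' -f1 > "$out.sha256" &&
        openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$key" \
            -in "$tmp" -out "$out"
    rc=$?
    rm -f "$tmp"   # the plaintext archive never leaves the local machine
    return $rc
}

# backup_verify OUT_FILE KEY_FILE
# Restore check: decrypt and compare with the hash recorded at backup time.
# `openssl enc` gives confidentiality only; the recorded hash is what shows
# that the media is still readable with the key that is on file.
backup_verify() {
    out=$1 key=$2
    got=$(openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$key" -in "$out" \
              2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1)
    [ "$got" = "$(cat "$out.sha256")" ]
}
```

Running `backup_verify` on a schedule, with the key fetched from wherever it is actually held, is the regular readability check; a failure means either the media or the key handling has broken.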

David Lacey, director of research for the professional group ISSA-UK, said moving unencrypted
tapes is fraught with danger. “I recall one leading bank that moved offices, but forgot to inform
its post room about the need to use a secure courier,” he said. “Encryption should be mandatory for
all offline media. With modern solutions such as self-encrypting drives, there's no performance
overhead. Enterprises should make it their New Year resolution to update their backup systems.”

O’Connor predicted Cattles Group is likely to receive a heavy punishment from the Financial
Services Authority (FSA). In August 2010, the FSA
fined Zurich Insurance £2.275M after a back-up tape containing unencrypted personal details on
46,000 policy holders went missing in transit.
